Why Isn't My Encrypted Data Masked?
If the Shield Platform Encryption service isn't available, you can mask data in some types of encrypted fields. Masking data helps you troubleshoot encryption key issues, not control user access to data. If you have data that you don't want some users to see, revisit those users' field-level security settings, record access settings, and object permissions.
Required Editions
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses. |
| Available for free in Developer Edition. |
Encryption prevents outsiders from using your Salesforce data even if they manage to access it. It's not a way to hide data from authenticated users. User permissions are the only way to control data visibility for authenticated users. Encryption at rest is about logins, not permissions.
With Shield Platform Encryption, if a user has authorization to see a given set of data, that user sees that data whether it's encrypted or not.
- Authentication means that only legitimate users can get into your system. For example, a company's Salesforce org is only for use by active employees of that company. Non-employees aren't authenticated and are barred from logging in. If a non-employee somehow accesses the data, it's useless to them because it's encrypted.
- Authorization defines which data or features an authenticated user can use. For example, a sales associate can see and use data in the Leads object, but can't see the regional forecasts, which are intended for sales managers. Both the associate and the manager are properly logged in (authenticated), but their permissions (authorization) are different. Whether the data is encrypted doesn't make any difference to them.
Data can be masked but not encrypted, or encrypted but not masked. For example, regulators often require that only the last four digits of a credit card number be visible to users. Apps typically mask the rest of the number, meaning that they replace the digits with asterisks in the UI. Without encryption, you can still read the digits that are masked if you access the database where they’re stored.
In this way, masking and encryption are different solutions for different problems. You mask data to hide it from users who are authenticated but not authorized to see that data. You encrypt data to deter someone from stealing the data, and if they do, the data is useless to the thief.
Runtime Masking Notification
If you use Shield Platform Encryption to encrypt fields that you masked, for some fields you can encounter two types of in-field notification instead of the masking value for a field.
- When the field is encrypted but the encryption key has been destroyed
- When either the Shield Platform Encryption or the Masking service is unavailable
If either of these situations occurs, the field shows a value according to the table.
| Field Type | Destroyed Key | Service Unavailable |
|---|---|---|
| Email, Phone, Text, Text Area, Text Area (Long), URL | ????? | !!!!! |
| Custom Date | 08/08/1888 | 01/01/1777 |
| Custom Date/Time | 08/08/1888 12:00 PM | 01/01/1777 12:00 PM |
Notification values such as ????? and 01/01/1777 are strings reserved for masking notifications and can't be used as data values in encrypted fields. Although you're not restricted from saving a record with one of these reserved masking notification strings into an encrypted field, the field is saved with a blank value. For example, if a Date field is encrypted and you enter the value 07/07/1777, that field is empty when you save the record.
